lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211102150331.526nn2e6oqjbf6ur@gilmour>
Date:   Tue, 2 Nov 2021 16:03:31 +0100
From:   Maxime Ripard <maxime@...no.tech>
To:     He Ying <heying24@...wei.com>
Cc:     wens@...e.org, airlied@...ux.ie, daniel@...ll.ch,
        jernej.skrabec@...il.com, dri-devel@...ts.freedesktop.org,
        linux-arm-kernel@...ts.infradead.org, linux-sunxi@...ts.linux.dev,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH -V2] drm/sun4i: Grab reference of connector before return
 connector from sun4i_tcon_get_connector

Hi,

On Tue, Nov 02, 2021 at 04:46:28AM -0400, He Ying wrote:
> From the comments of drm_for_each_connector_iter(), we know
> that "connector is only valid within the list body, if you
> want to use connector after calling drm_connector_list_iter_end()
> then you need to grab your own reference first using
> drm_connector_get()". So fix the wrong use of connector
> according to the comments and then call drm_connector_put()
> after using connector finishes.
> 
> Signed-off-by: He Ying <heying24@...wei.com>
> ---
> 
> V2:
>  Use proper subject prefix
> 
>  drivers/gpu/drm/sun4i/sun4i_tcon.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
> index 9f06dec0fc61..24fa6784ee5f 100644
> --- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
> +++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
> @@ -47,12 +47,12 @@ static struct drm_connector *sun4i_tcon_get_connector(const struct drm_encoder *
>  	drm_connector_list_iter_begin(encoder->dev, &iter);
>  	drm_for_each_connector_iter(connector, &iter)
>  		if (connector->encoder == encoder) {
> -			drm_connector_list_iter_end(&iter);
> -			return connector;
> +			drm_connector_get(connector);
> +			break;
>  		}
>  	drm_connector_list_iter_end(&iter);
>  
> -	return NULL;
> +	return connector;

Connector might be uninitialized if we don't find one here

>  }
>  
>  static int sun4i_tcon_get_pixel_depth(const struct drm_encoder *encoder)
> @@ -65,6 +65,7 @@ static int sun4i_tcon_get_pixel_depth(const struct drm_encoder *encoder)
>  		return -EINVAL;
>  
>  	info = &connector->display_info;
> +	drm_connector_put(connector);
>  	if (info->num_bus_formats != 1)

We're still accessing connector->display_info here, but it might have been
freed already.

Maxime

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ